Group/host variable refactor

templates/personal/xps/cmdline.j2

@@ -0,0 +1 @@
+cryptdevice=UUID=4483183a-4881-4bf6-b20c-3ba918642cc4:cryptlvm root=/dev/VolumeGroup/root rw resume=/dev/VolumeGroup/swap pcie_aspm=nommconf i915.fastboot=1 enable_fbc=1 enable_psr=1 disable_power_well=0 acpi_rev_override=1 bgrt_disable

templates/personal/xps/mkinitcpio/1-modules.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+MODULES=(intel_agp i915 i8k)

templates/personal/xps/mkinitcpio/2-hooks.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 resume filesystems fsck)

templates/personal/xps/mkinitcpio/linux-lts.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux-lts.efi"
+default_kver="/boot/vmlinuz-linux-lts"

templates/personal/xps/mkinitcpio/linux.preset.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+#
+# mkinitcpio preset file for the 'linux' package
+
+PRESETS=('default')
+
+default_uki="/boot/EFI/Linux/linux.efi"
+default_kver="/boot/vmlinuz-linux"

templates/personal/xps/network/wg0.netdev.j2

@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ vpn_default.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ vpn_default.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ vpn_default.private_key_path }}
+
+{% for peer in vpn_default.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip.address }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/personal/xps/network/wg0.network.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ vpn_default.interface }}
+
+[Network]
+Address={{ vpn_default.ip }}/{{ vpn_default.prefix }}
+DNS={{ vpn_default.dns }}
+Domains={{ vpn_default.domains | join(' ') }}
+
+{% for peer in vpn_default.peers %}
+{% for ip in peer.allowed_ips %}
+{% if ip.create_route %}
+[Route]
+Destination={{ ip.address }}
+Scope=link
+{% endif %}
+{% endfor %}
+{% endfor %}

templates/personal/xps/network/wg1.netdev.j2

@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+[NetDev]
+Name={{ vpn_media.interface }}
+Kind=wireguard
+Description=WireGuard tunnel {{ vpn_media.interface }}
+
+[WireGuard]
+PrivateKeyFile={{ vpn_media.private_key_path }}
+
+{% for peer in vpn_media.peers %}
+[WireGuardPeer]
+PublicKey={{ peer.public_key }}
+PresharedKeyFile={{ peer.preshared_key_path }}
+{% for ip in peer.allowed_ips %}
+AllowedIPs={{ ip.address }}
+{% endfor %}
+{% if peer.endpoint %}
+Endpoint={{ peer.endpoint }}
+{% endif %}
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}

templates/personal/xps/network/wg1.network.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ vpn_media.interface }}
+
+[Network]
+Address={{ vpn_media.ip }}/{{ vpn_media.prefix }}
+DNS={{ vpn_media.dns }}
+Domains={{ vpn_media.domains | join(' ') }}
+
+{% for peer in vpn_media.peers %}
+{% for ip in peer.allowed_ips %}
+{% if ip.create_route %}
+[Route]
+Destination={{ ip.address }}
+Scope=link
+{% endif %}
+{% endfor %}
+{% endfor %}

templates/personal/xps/network/wireless.network.j2

@@ -0,0 +1,5 @@
+[Match]
+Name=wlan0
+
+[Network]
+DHCP=ipv4

templates/personal/xps/nftables.j2

@@ -0,0 +1,43 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow ssh
+    tcp dport ssh accept
+
+    # syncthing
+    ip saddr 10.0.0.1 tcp dport 22000 accept
+  }
+
+  chain forward {
+    type filter hook forward priority security; policy drop;
+
+    ct state { established, related } accept;
+
+		mark 1 accept
+  }
+}
+
+table ip filter {
+	chain DOCKER-USER {
+		mark set 1
+	}
+}

templates/personal/xps/powertop.service.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Powertop tunings
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/usr/bin/powertop --auto-tune
+
+[Install]
+WantedBy=multi-user.target